I just found out that native SASL authz doesn't work with CRAM-MD5,
i.e. the bound identity remains that of the incoming authcDN;
with DIGEST-MD5 the bound identity is turned into that of the authzDN
specified via SASL. I'm not so familiar with SASL details, but I thought
the authz did not depend on the specific mech.

Not all SASL mechanisms support proxy authorization...

I guessed something like that, and I was going to look for a means to detect
what mechs support it, because the idassert code currently assumes that,
when configured to use the SASL method, authz will be done natively by SASL.
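
The difference discussed in this thread is visible in the wire formats. This is an added example, not part of the original messages and not OpenLDAP code: it builds the RFC 2195 CRAM-MD5 client response and the RFC 2831 DIGEST-MD5 digest-response (qop=auth) side by side. The function names and the sample values are constructed for illustration.

```python
import hashlib
import hmac


def cram_md5_response(username: str, password: str, challenge: bytes) -> bytes:
    """RFC 2195 client response: username SP hex(HMAC-MD5(password, challenge)).

    There is no field for an authorization identity, so the server can only
    learn the authentication identity (authcid).
    """
    mac = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return f"{username} {mac}".encode()


def digest_md5_response(username, realm, password, nonce, cnonce,
                        digest_uri, authzid=None, nc="00000001", qop="auth"):
    """RFC 2831 digest-response for qop=auth; authzid is optional."""
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    a1 += f":{nonce}:{cnonce}".encode()
    if authzid is not None:
        a1 += f":{authzid}".encode()  # authzid is bound into the response hash
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(f"AUTHENTICATE:{digest_uri}".encode()).hexdigest()
    response = hashlib.md5(
        f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}".encode()).hexdigest()
    fields = [("username", f'"{username}"'), ("realm", f'"{realm}"'),
              ("nonce", f'"{nonce}"'), ("cnonce", f'"{cnonce}"'),
              ("nc", nc), ("qop", qop), ("digest-uri", f'"{digest_uri}"'),
              ("response", response)]
    if authzid is not None:
        fields.append(("authzid", f'"{authzid}"'))
    return ",".join(f"{k}={v}" for k, v in fields)


def directives(msg: str) -> dict:
    """Split a digest-response into {directive: value} (values without commas)."""
    return dict(item.split("=", 1) for item in msg.split(","))


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    print(cram_md5_response("proxy", "secret", b"<1.2@ldap.example.com>"))
    print(digest_md5_response("proxy", "example.com", "secret", "N0nce",
                              "Cn0nce", "ldap/ldap.example.com",
                              authzid="u:alice"))
```

The CRAM-MD5 message has exactly two fields, so an authzid requested by the client has nowhere to go; in DIGEST-MD5 the authzid is both sent as a directive and mixed into the hash, so the server can verify which identity was requested.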